Two major EU frameworks, NIS2 and the Digital Operational Resilience Act (DORA), are reshaping the cybersecurity and operational risk landscape for Irish financial entities. These regimes are particularly relevant for insurers underwriting directors & officers (D&O) and cyber policies, as they introduce new exposures, governance obligations, and compliance-driven demand.
NIS2
Ireland missed the original transposition deadline of 17 October 2024 for the EU NIS2 Directive. The National Cyber Security Bill 2024 is now at an advanced drafting stage and has been designated a legislative priority. It is expected to be enacted before the end of 2025, pending completion of pre-legislative scrutiny.
Once enacted, the Bill will impose sweeping obligations on approximately 4,000 Irish organisations, spanning sectors from healthcare to digital infrastructure. It introduces a federated model of regulation, assigning sector-specific oversight to designated National Competent Authorities (NCAs), a shift that may complicate compliance for insurers and intermediaries operating across several sectors.
Most SMEs will be classified as “important entities”, subject to lighter ex-post supervision, but still required to self-assess and register with the National Cyber Security Centre (NCSC).
Key obligations include:
- Incident reporting within 24 hours of a significant cyber event
- Board-level accountability, with potential personal liability for directors in cases of oversight failure or gross negligence
- Supply chain risk management, requiring firms to assess and secure third-party ICT dependencies
Regulators now expect auditable evidence of cyber governance, documented training, signed-off incident response plans, and active board engagement. These expectations raise the bar for defensibility in coverage disputes and may prompt insurers to revisit exclusions, policy triggers, and aggregation language across PI and tech E&O portfolios.
Digital Operational Resilience Act
In force since 17 January 2025, DORA applies directly to insurers, intermediaries, and other financial entities with no transitional period. Firms were required to submit their ICT third-party contract registers by April 2025, and must now demonstrate compliance across five pillars:
- ICT risk management
- Incident reporting
- Resilience testing
- Third-party oversight
- Threat intelligence sharing
Market challenges
Despite rising adoption rates, cyber insurance continues to exhibit significant coverage gaps, particularly among SMEs and in personal cyber protection. 56% of agents report clients lack understanding or appreciation of the coverage. This is compounded by cyber exclusions in D&O policies, which often omit coverage for data breaches, regulatory fines and third-party liabilities.
Coverage ambiguity
The regulatory landscape under NIS2 and DORA intensifies these concerns on two fronts.
Firstly, NIS2 imposes direct personal liability on directors and senior management for cybersecurity failures. Sanctions can be severe and include fines and temporary disqualification from managerial roles.
Secondly, DORA expands accountability in financial institutions, holding executives responsible not only for internal ICT resilience but also for third-party compliance failures.
Yet many D&O policies remain silent or ambiguous on cyber-triggered liabilities. The overlap between cyber and D&O coverage, especially for SMEs, creates a grey zone of protection; where gaps in cover exist, boards are left vulnerable to regulatory investigations and reputational damage following cyber incidents.
Reassessment for insureds and insurers
As NIS2 and DORA reshape the compliance landscape:
- Organisations must work with their brokers to reassess any insurance cover gaps in order to align with evolving regulatory expectations.
- Should the risk landscape deteriorate, we would expect underwriters to reassess the questions asked on proposal forms, as well as the pricing and scope of cover, in order to maintain profitability. At present pricing remains competitive, but perhaps disproportionately so relative to the risk of claims.
Organisations in Ireland looking to mitigate cyber risks and comply with their regulatory obligations are likely to increase demand for cyber cover and D&O cover with cyber extensions. Under NIS2, directors could be exposed to claims stemming from cyber incidents, and unless cyber risks are affirmatively covered, insurers may deny cover, creating uncertainty and potential coverage gaps.
For further advice on how NIS2 and DORA apply to your organisation, get in touch with our experts.
